From: Andreas S. <and...@ca...> - 2014-07-16 20:11:18
I guess I have to clarify how the SmartCard-HSM relates to CVCs:

In its core, the SmartCard-HSM is a secure key store for RSA and ECC keys, that unlike other PKI tokens has key management functions that you normally find in large (and expensive) HSMs (Key Backup, Cluster Operation, Key Offloading).

One of these functions is the ability to have a trusted channel between the device and the RA/CA. This trusted channel is established using Chip Authentication known from ePassports and eID cards. But while in Passports the authenticity of the chip authentication public key is based on passive authentication and the docsigner / CSCA certificate, the authenticity in the SC-HSM is proved using a CVC based PKI.

Just like in EAC, where you have a CVCA, DVCA and terminal certificate, in a SmartCard-HSM you have a Scheme Root CA (CRCA), Device Issuer CA (DICA) and a device certificate. The ECC public key for chip authentication is certified in the device certificate and linked to the unique id of the SmartCard-HSM.

In addition, newly generated public keys are exported in the authenticated CVC request format as per TR-03110. The inner signature is provided by the private key, the outer signature by the device authentication key or any other key on the device. The latter is used in an EAC PKI to renew certificates.

The SmartCard-HSM can of course be used with EJBCA, either via OpenSC or using the multithreading-enabled PKCS#11 Module from the sc-hsm-embedded project.

Andreas

On 07/16/2014 08:50 AM, Christian Felsing wrote:
> On 15.07.14 15:29, Tomas Gustavsson wrote:
>>
>> On 2014-07-15 13:38, Christian Felsing wrote:
>>> Hello,
>>>
>>> while trying to create a CVC CA in EJBCA Community I got the following message:
>>>
>>> CVC CA type is not available in this version of EJBCA
>>>
>>> Does that mean community edition does not support CVC?
>>
>> That is correct. Since it's so specific for country/government usage
>> there is no possibility to maintain it for free, and the community is
>> pretty small.
>>
>> Cheers,
>> Tomas
>
> CVC is not only for government related applications, there is an open source project sc-hsm which also supports CVC, because that
> card will claim to be suitable for CVC applications. With this card ejbca may become a solution for CVC based application besides
> government applications.
>
> At demo.openscdp.org is a demo for EAC-PKI applications.
>
> cheers
> Christian

--
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
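The authenticated request layout described in the message above (an inner signature inside the CV certificate, with an outer authority reference and outer signature wrapped around it), as an added example that is not part of the original thread or of any project named in it: a minimal BER-TLV walk using the TR-03110 tag numbers. The holder and authority names and the zero-filled key and signature bytes are constructed, only one- and two-byte tags are handled, and no signature is verified.

```python
# Tag numbers from TR-03110; names on the right are labels chosen for this example.
TAGS = {0x67: "authentication", 0x7F21: "cv_certificate", 0x7F4E: "body",
        0x5F29: "profile", 0x42: "car", 0x7F49: "public_key",
        0x5F20: "chr", 0x5F37: "signature"}
CONSTRUCTED = {0x67, 0x7F21, 0x7F4E}   # containers the parser descends into

def read_tlv(buf, pos):
    """Decode one BER-TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]; pos += 1
    if tag & 0x1F == 0x1F:               # two-byte tag such as 7F21 or 5F37
        tag = (tag << 8) | buf[pos]; pos += 1
    length = buf[pos]; pos += 1
    if length & 0x80:                    # long form: low bits count length bytes
        n = length & 0x7F
        if not 1 <= n <= 2:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse(buf):
    """Return [(name, bytes or nested list)] in encoding order."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((TAGS.get(tag, hex(tag)),
                    parse(value) if tag in CONSTRUCTED else value))
    return out

def summarize(request):
    """Report whose key is requested and which key countersigned the request."""
    (name, children), = parse(request)
    if name != "authentication":
        raise ValueError("not an authenticated request")
    outer = dict(children)
    inner = dict(outer["cv_certificate"])
    return {"holder": dict(inner["body"])["chr"].decode("ascii"),
            "outer_car": outer["car"].decode("ascii"),
            "sig_lens": (len(inner["signature"]), len(outer["signature"]))}

def tlv(tag, value):
    """Encoder used only to build the sample below (values under 256 bytes)."""
    size = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + size + value

# Constructed sample: placeholder names, zero-filled public key and signatures.
BODY = tlv(0x5F29, b"\x00") + tlv(0x7F49, bytes(8)) + tlv(0x5F20, b"UTNEWKEY00001")
CERT = tlv(0x7F21, tlv(0x7F4E, BODY) + tlv(0x5F37, bytes(64)))
SAMPLE = tlv(0x67, CERT + tlv(0x42, b"UTDEVICE00001") + tlv(0x5F37, bytes(64)))
```

A receiving RA/CA would take `outer_car` as the name of the key to look up before checking the outer signature, and `holder` as the name of the key whose inner signature proves possession.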